
Traceroute

In document Hackers Beware pdf (Page 114-120)

Because we obtained the information we needed from an ARIN search, traceroute is not necessary, but let’s perform some tests anyway just to confirm our results. First, let’s perform a traceroute to 10.246.68.144 because we know it is a valid address. When we do this, we get the following results:

Tracing route to [10.10.10.5] over a maximum of 30 hops:

1 2 ms 3 ms 3 ms 10.246.68.1
2 4 ms 7 ms 4 ms 10.5.5.1
3 9 ms 7 ms 7 ms 10.6.5.1
4 12 ms 7 ms 7 ms SOMENAME.LOCATION.NET [10.7.1.1]
5 8 ms 11 ms 11 ms SOMENAME.LOCATION.NET [10.8.1.1]
6 11 ms 18 ms 21 ms SOMENAME.LOCATION.NET [10.9.1.1]
7 120 ms 96 ms 119 ms SOMENAME.LOCATION.NET [10.10.1.1]
8 82 ms 125 ms 82 ms SOMENAME.LOCATION.NET [10.11.1.1]
9 97 ms 92 ms 156 ms SOMENAME.LOCATION.NET [10.12.1.1]
10 81 ms 82 ms 82 ms EXTERNAL.ROUTER.LOCATION.NET [10.13.1.1]
11 81 ms 86 ms 108 ms FIREWALL 10.14.1.1
12 109 ms 85 ms 90 ms LOCATION.NET [10.248.68.144]

Trace complete.

Now we know the addresses of the external router and the firewall. All traffic going to this network has to pass through this router, unless the company has a second Internet connection. If it did, traceroutes to other addresses in the range would show a different external router address, and we would record that one as well. In this case, let’s assume a single connection to the Internet. Now, let’s run a trace to 10.246.68.1 to start working out the range of addresses the company has:

Tracing route to [10.10.10.5] over a maximum of 30 hops:

1 2 ms 3 ms 3 ms 10.246.68.1
2 4 ms 7 ms 4 ms 10.5.5.1
3 9 ms 7 ms 7 ms 10.6.5.1
4 12 ms 7 ms 7 ms SOMENAME.LOCATION.NET [10.7.1.1]
5 8 ms 11 ms 11 ms SOMENAME.LOCATION.NET [10.8.1.1]
6 11 ms 8 ms 21 ms SOMENAME.LOCATION.NET [10.9.1.1]
7 120 ms 96 ms 119 ms SOMENAME.LOCATION.NET [10.10.1.1]
8 82 ms 125 ms 82 ms SOMENAME.LOCATION.NET [10.11.1.1]
9 97 ms 92 ms 156 ms SOMENAME.LOCATION.NET [10.12.1.1]
10 81 ms 82 ms 82 ms EXTERNAL.ROUTER.LOCATION.NET [10.13.1.1]
11 81 ms 86 ms 108 ms FIREWALL 10.14.1.1
12 109 ms 85 ms 90 ms LOCATION.NET [10.246.68.1]

Trace complete.

Let’s also trace to 10.246.68.254:

Tracing route to [10.10.10.5] over a maximum of 30 hops:

1 2 ms 3 ms 3 ms 10.246.68.1
2 4 ms 7 ms 4 ms 10.5.5.1
3 9 ms 7 ms 7 ms 10.6.5.1
4 12 ms 7 ms 7 ms SOMENAME.LOCATION.NET [10.7.1.1]
5 8 ms 11 ms 11 ms SOMENAME.LOCATION.NET [10.8.1.1]
6 11 ms 18 ms 21 ms SOMENAME.LOCATION.NET [10.9.1.1]
7 120 ms 96 ms 119 ms SOMENAME.LOCATION.NET [10.10.1.1]
8 82 ms 125 ms 82 ms SOMENAME.LOCATION.NET [10.11.1.1]
9 97 ms 92 ms 156 ms SOMENAME.LOCATION.NET [10.12.1.1]
10 81 ms 82 ms 82 ms EXTERNAL.ROUTER.LOCATION.NET [10.13.1.1]
11 81 ms 86 ms 108 ms FIREWALL 10.14.1.1
12 109 ms 85 ms 90 ms LOCATION.NET [10.246.68.254]

Trace complete.

By analyzing the results, we now see that the company has the entire last octet, that is, all of 10.246.68.x, since traces to .1, .144 and .254 all pass through the same external router and firewall. Now we need to see whether it also has all or some of the second octet. If we trace to anything else in 10.246.x, we get the following results:

Tracing route to [10.10.10.5] over a maximum of 30 hops:

1 2 ms 3 ms 3 ms 10.246.68.1
2 4 ms 7 ms 4 ms 10.5.5.1
3 9 ms 7 ms 7 ms 10.6.5.1
4 12 ms 7 ms 7 ms SOMENAME.LOCATION.NET [20.7.1.1]
5 8 ms 11 ms 11 ms SOMENAME.LOCATION.NET [20.8.1.1]
6 11 ms 18 ms 21 ms SOMENAME.LOCATION.NET [20.9.1.1]
7 120 ms 96 ms 119 ms SOMENAME.LOCATION.NET [20.10.1.1]
8 82 ms 125 ms 82 ms SOMENAME.LOCATION.NET [20.11.1.1]
9 97 ms 92 ms 156 ms SOMENAME.LOCATION.NET [20.12.1.1]
10 81 ms 82 ms 82 ms EXTERNAL.ROUTER.LOCATION.NET [20.13.1.1]
11 81 ms 86 ms 108 ms FIREWALL 20.14.1.1
12 109 ms 85 ms 90 ms LOCATION.NET [10.246.x.x]

Trace complete.

Because these traces go to a totally different location, this shows us that none of these addresses belong to the company and that its address space is 20.246.68.x. Now we know the range of its network and can finish mapping it out.
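The boundary analysis the author does by eye, written out as an added example (not code from the book): it parses tracert-style output and groups destinations by the router/firewall pair they sit behind, so targets that share one edge stand out from targets reached through a different path. The traces are constructed and shortened to four hops.

```python
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed tracert-style output (sample data, not the book's traces), cut to four
# hops: two 10.246.68.x targets share one router/firewall pair, 10.246.9.9 does not.
SAMPLE_TRACES = {
    "10.246.68.1": """Tracing route to 10.246.68.1 over a maximum of 30 hops:
  1     2 ms     3 ms     3 ms  10.5.5.1
  2    81 ms    82 ms    82 ms  EXTERNAL.ROUTER.LOCATION.NET [10.13.1.1]
  3    81 ms    86 ms   108 ms  FIREWALL 10.14.1.1
  4   109 ms    85 ms    90 ms  LOCATION.NET [10.246.68.1]
Trace complete.""",
    "10.246.68.254": """Tracing route to 10.246.68.254 over a maximum of 30 hops:
  1     2 ms     3 ms     3 ms  10.5.5.1
  2    81 ms    82 ms    82 ms  EXTERNAL.ROUTER.LOCATION.NET [10.13.1.1]
  3    81 ms    86 ms   108 ms  FIREWALL 10.14.1.1
  4   109 ms    85 ms    90 ms  LOCATION.NET [10.246.68.254]
Trace complete.""",
    "10.246.9.9": """Tracing route to 10.246.9.9 over a maximum of 30 hops:
  1     2 ms     3 ms     3 ms  10.5.5.1
  2    81 ms    82 ms    82 ms  EXTERNAL.ROUTER.LOCATION.NET [20.13.1.1]
  3     *        *        *     Request timed out.
  4   109 ms    85 ms    90 ms  LOCATION.NET [10.246.9.9]
Trace complete.""",
}

def parse_hops(output):
    """Return the responder IP of each hop in order ('*' for a silent hop)."""
    hops = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # skip the header, blank lines and 'Trace complete.'
        ips = IP_RE.findall(line)
        hops.append(ips[-1] if ips else "*")
    return hops

def edge_path(output, depth=2):
    """The hops just before the destination: the external router and the
    firewall in the traces above. Targets behind the same pair share a perimeter."""
    hops = parse_hops(output)
    return tuple(hops[-(depth + 1):-1])

def group_by_edge(traces):
    """Group destinations by edge path; one group per distinct perimeter."""
    groups = {}
    for dst, output in traces.items():
        groups.setdefault(edge_path(output), []).append(dst)
    return groups
```

Run over the real traces above, the three 10.246.68.x targets land in one group keyed by (10.13.1.1, 10.14.1.1) and the 10.246.x probe in another, which is exactly the split the text draws.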

Protection

Traceroute is hard to protect against because if you disable ICMP traffic, which is what traceroute uses, you lose a valuable troubleshooting tool. Once again, using private addresses inside your firewall limits the machines to which an attacker could traceroute. You could block ICMP traffic at your external router, which would help with this problem, but this would severely limit your ability as an administrator. Remember, even if we had not used traceroute, we would still have received the information we needed from ARIN.

Remember to enforce a principle of least privilege on your systems and network. Give entities the access they need to do their job and nothing else. If it is critical for people to have the ability to run external traceroutes, then you might not be able to disable it. On the other hand, if it is not needed, then it should be disabled.

Ping

At this point, we know what addresses belong to Company X, and we want to see what machines are active. The easiest way to do this is to ping the entire range of addresses and see which ones respond. When we run the ping at 2:00 in the morning, we get the following results (to conserve space, we will only show the results for the first 50 machines):

10.246.68.1 : Answered in 3 msecs
10.246.68.2 : Answered in 21 msecs
10.246.68.3 : Answered in 7 msecs
10.246.68.4 : Answered in 7 msecs
10.246.68.5 : Answered in 11 msecs
10.246.68.6 : Answered in 37 msecs
10.246.68.7 : Answered in 73 msecs
10.246.68.8 : Answered in 27 msecs
10.246.68.9 : Answered in 17 msecs
10.246.68.10 : Answered in 71 msecs
10.246.68.11 : Request timed out
10.246.68.12 : Request timed out
10.246.68.13 : Request timed out
10.246.68.14 : Request timed out
10.246.68.15 : Request timed out
10.246.68.16 : Request timed out
10.246.68.17 : Request timed out
10.246.68.18 : Request timed out
10.246.68.19 : Request timed out
10.246.68.20 : Request timed out
10.246.68.21 : Request timed out
10.246.68.22 : Request timed out
10.246.68.23 : Request timed out
10.246.68.24 : Request timed out
10.246.68.25 : Request timed out
10.246.68.26 : Request timed out
10.246.68.27 : Request timed out
10.246.68.28 : Request timed out
10.246.68.29 : Request timed out
10.246.68.30 : Request timed out
10.246.68.31 : Request timed out
10.246.68.32 : Request timed out
10.246.68.33 : Request timed out
10.246.68.34 : Request timed out
10.246.68.35 : Request timed out
10.246.68.36 : Request timed out
10.246.68.37 : Request timed out
10.246.68.38 : Request timed out
10.246.68.39 : Request timed out
10.246.68.40 : Request timed out
10.246.68.41 : Request timed out
10.246.68.42 : Request timed out
10.246.68.43 : Request timed out
10.246.68.44 : Request timed out
10.246.68.45 : Request timed out
10.246.68.46 : Request timed out
10.246.68.47 : Request timed out
10.246.68.48 : Request timed out
10.246.68.49 : Request timed out
10.246.68.50 : Request timed out

We then ran it at 2:00 in the afternoon and received the following results:

10.246.68.1 : Answered in 3 msecs
10.246.68.2 : Answered in 21 msecs
10.246.68.3 : Answered in 7 msecs
10.246.68.4 : Answered in 7 msecs
10.246.68.5 : Answered in 11 msecs
10.246.68.6 : Answered in 37 msecs
10.246.68.7 : Answered in 73 msecs
10.246.68.8 : Answered in 27 msecs
10.246.68.9 : Answered in 17 msecs
10.246.68.10 : Answered in 71 msecs
10.246.68.11 : Answered in 10 msecs
10.246.68.12 : Request timed out
10.246.68.13 : Request timed out
10.246.68.14 : Answered in 17 msecs
10.246.68.15 : Answered in 17 msecs
10.246.68.16 : Request timed out
10.246.68.17 : Request timed out
10.246.68.18 : Answered in 17 msecs
10.246.68.19 : Request timed out
10.246.68.20 : Request timed out
10.246.68.21 : Answered in 12 msecs
10.246.68.22 : Answered in 12 msecs
10.246.68.23 : Request timed out
10.246.68.24 : Request timed out
10.246.68.25 : Answered in 11 msecs
10.246.68.26 : Answered in 32 msecs
10.246.68.27 : Answered in 11 msecs
10.246.68.28 : Request timed out
10.246.68.29 : Request timed out
10.246.68.30 : Answered in 10 msecs
10.246.68.31 : Request timed out
10.246.68.32 : Answered in 12 msecs
10.246.68.33 : Answered in 20 msecs
10.246.68.34 : Request timed out
10.246.68.35 : Request timed out
10.246.68.36 : Request timed out
10.246.68.37 : Answered in 14 msecs
10.246.68.38 : Answered in 8 msecs
10.246.68.39 : Answered in 11 msecs
10.246.68.40 : Answered in 8 msecs
10.246.68.41 : Request timed out
10.246.68.42 : Answered in 15 msecs
10.246.68.43 : Answered in 12 msecs
10.246.68.44 : Request timed out
10.246.68.45 : Answered in 16 msecs
10.246.68.46 : Answered in 11 msecs
10.246.68.47 : Answered in 15 msecs
10.246.68.48 : Answered in 11 msecs
10.246.68.49 : Answered in 8 msecs
10.246.68.50 : Answered in 15 msecs

What this tells us is that we have a really good idea that the IP addresses 10.246.68.1 through 10.246.68.10 are servers, and the remaining addresses are client machines. This was determined by the fact that only servers should be active late at night, while workstations should be active during the day. This is important information because, depending on what an attacker is trying to do, he might want to go after a certain type of machine. If he wanted to install a backdoor on a machine so that he could access it late at night, and it turned out to be a user’s machine that gets shut off, then it would not help him very much. So, in this case, an attacker might want to target a server instead.
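The night-versus-day comparison above as added code (not from the book): it parses sweep lines in the format shown, using a constructed sample rather than the full output, and labels each address with the book's heuristic. It goes slightly beyond the text by also separating addresses that never answered from ones that answered only at night, which is the view a defender reviewing their own exposed range would want.

```python
import re

PING_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?:Answered in (\d+) msecs|Request timed out)$"
)

# Constructed excerpts in the format shown above (sample data, not the book's
# full sweep): the same addresses probed at 2 a.m. and again at 2 p.m.
NIGHT_RUN = """10.246.68.1 : Answered in 3 msecs
10.246.68.2 : Answered in 21 msecs
10.246.68.11 : Request timed out
10.246.68.14 : Request timed out
10.246.68.16 : Request timed out
10.246.68.60 : Answered in 9 msecs"""

DAY_RUN = """10.246.68.1 : Answered in 3 msecs
10.246.68.2 : Answered in 21 msecs
10.246.68.11 : Answered in 10 msecs
10.246.68.14 : Answered in 17 msecs
10.246.68.16 : Request timed out
10.246.68.60 : Request timed out"""

def parse_sweep(text):
    """Map each probed address to its RTT in ms, or None when it timed out."""
    result = {}
    for line in text.splitlines():
        m = PING_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised sweep line: {line!r}")
        result[m.group(1)] = int(m.group(2)) if m.group(2) else None
    return result

def classify_hosts(night, day):
    """Apply the book's heuristic to two sweeps of one range, plus the two
    cases the text does not spell out (never up, and up only at night)."""
    labels = {}
    addresses = sorted(set(night) | set(day), key=lambda a: [int(o) for o in a.split(".")])
    for ip in addresses:
        up_night = night.get(ip) is not None
        up_day = day.get(ip) is not None
        if up_night and up_day:
            labels[ip] = "always on: likely server"
        elif up_day:
            labels[ip] = "daytime only: likely workstation"
        elif up_night:
            labels[ip] = "night only: review (backup host? scheduled job?)"
        else:
            labels[ip] = "no response: unused or ICMP filtered"
    return labels
```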

Protection

Ping is hard to protect against because if you disable ICMP traffic, which is what ping uses, you lose a valuable troubleshooting tool. Once again, using private addresses inside your firewall limits the machines an attacker could ping. You could block ICMP traffic at your external router, which would limit the information an attacker could obtain, but this would severely limit your ability as an administrator.
